It's sad to see that even after all these years, we still have to write articles like this one. It's all over the web right now: a new backdoor Mac OS X trojan discovered! Code execution! Indicative of rise in Mac malware! Until, of course, you actually take a look at what's going on, and see that not only is it not in the wild, it can't really do anything because it's a beta.

Do the Apple guys put agressive sandboxing in Xcode's basic application, as a default Xcode setting ? Do they mention sandboxing in their tutorials and doc ? Sure, if it's just some random feature lying around along with the thousand of others, things are certainly not likely to change... Until the day where security issues will become critical, that is, and that day Apple will have no choice but to *brutally* sandbox everything, the UAC way (and we both know how effective this is, as you mention it in your comment).

Yes, Microsoft has pushed it as soon as it appeared in Windows and same with Apple when it first appeared in Mac OS X. Developers don't add it because they're lazy but I do think there is one way they can get people to do it - by making it a requirement for applications submitted to the AppStore. If they make it a requirement for the AppStore then you might find vendors.

Btw, UAC doesn't sandbox a thing - UAC is temporary privilege escalation and nothing to do with sandboxing. All UAC tells you is that an application is requesting privilege escalation but but it doesn't actually sandbox the application in anyway when running as a normal user. Windows has sandboxing and Adobe is finally using it for Acrobat X (but not comprehensively) in much the same way that Google has taken advantage of sandboxing in Windows and Mac OS X.